A U.S. Air Force officer listens to a briefing during the 635th Supply Chain Operations Wing Logistics Readiness Squadron annual summit. During the briefing, participants had the opportunity to hear and learn from members of the highest levels of the Air Force logistics community. U.S. Air Force photo by Airman 1st Class Solomon Cook, USAF

Naval Supply Systems Command Business Systems Center staff supports Fleet Logistics Center–Jacksonville warehouse employees using Naval Mobile Computing tablets. The center provides the Navy with information systems support through the design, development and maintenance of information systems in the functional areas of logistics, supply chain management, transportation and finance. U.S. Navy photo by James E. Foehl/Released

Supply Chains May Pose Weakest Security Link

July 1, 2019

By Chris Nissen

The changing character of war requires capabilities delivered without compromise.

Adversaries are exploiting the inherent vulnerabilities of U.S. military supply chains that involve tens of thousands of private sector providers from all over the globe. Attack operations include stealing valuable technical data; striking critical infrastructure, manufacturing and weapon systems control systems; corrupting the quality and assurance across a broad range of product types and categories; and manipulating software to access connected systems and to degrade systems operation integrity.

The United States must respond holistically to these modern threats and can do so by placing a risk score on supply chain liabilities. This approach would require independent risk scores of all suppliers, much like financial institutions use credit scores to quantify the financial risk of individual companies. Fair Isaac Corporation, or FICO, and others are exploring the idea of a cyber scoring system for businesses, which is a solid approach.

The scoring of entities—individual services or components providers—can and should be handled outside of the U.S. government. However, agencies, and particularly the U.S. Defense Department, must actively work to understand their contractors’ entire supply chain. This process would include internal or external monitoring and continuous assessments of the cumulative third-party security risk posed to the end product or service.

For example, many types of combat systems increasingly rely upon sensors, actuators and software-activated control devices; a modern aircraft has more than 10 million lines of code. Last year, Defense Department officials testified before the House Armed Services Committee that “Deliver Uncompromised” was the basis of a strategy to address increased losses of defense weapon and information systems that had fallen prey to attacks.

In developing the Deliver Uncompromised report, its authors examined options that span from legislation, regulation, policy and administration to acquisition, oversight, programs and technology. The report proposed near-, mid- and long-term actions that could be taken to address the problem. Following its publication, the Government Accountability Office and the Defense Department’s Inspector General published reports outlining increased losses of critical space and weapons systems and a large-scale lack of attention to supply chain security.

Earlier this year, news articles described the mounting losses the U.S. suffers in this asymmetric era. For example, in March, the Navy Times cited an internal Navy review that declared the service and its contractors were “under cyber siege by a host of nefarious actors—including Chinese government hackers—who exploited critical U.S. cybersecurity flaws to steal troves of national security secrets from the defense industry.”

Simultaneously with the disclosure of the Navy review’s results, Congress and the executive branch became increasingly concerned about cyber threats and passed several key pieces of legislation, with more likely on the way.

But surprisingly, limiting third-party risk in acquisitions is still not an official U.S. government or Defense Department policy, even though the massive integration of information, software and manufacturing systems layered onto a global economy enables sabotage at scale. Adversaries place the Defense Department’s vast ecosystem of private sector suppliers under incessant attack. They use a variety of tactics to introduce vulnerabilities into the military’s industrial supply chains to steal intellectual property, develop intelligence collection networks, disrupt and deny operation of a system at critical times, or reduce reliability and assurance by inserting counterfeit or degraded components.

Today, procurements are based on three pillars: cost, schedule and performance. These pillars ignore the danger to warfighters and others who use purchased systems that overlook what should be the fourth acquisition pillar: security.

Making security a true fourth pillar of acquisition requires an independent means of measuring and assessing contractors and subcontractors. Because not all contractors offer equal levels of security, basing contract awards solely on the lowest price reduces their incentive to monitor and protect their enterprises and supply chains. Consequently, the products they deliver to the U.S. government may not be secure.

Although security is fundamental, it should be presumed that a prime contractor with sufficient security could sell its products and services to the Defense Department, but not all contractors are equally strong in all dimensions. Security monitoring must take place well beyond contract award because the supply chain typically isn’t in place until after the contract is awarded; however, prime contractors ultimately still must be held accountable for security. To address asymmetric warfare, the U.S. government must minimize third-party risk in its acquisitions by refusing to accept third-party risks from contractors.

Introducing cybersecurity as a discriminator among companies will not harm the competitive bid process, especially in an era where news headlines and government reports incessantly declare massive losses of Defense Department weapon systems’ details to nation-state adversaries.

Ensuring security after the contract award also requires the entire supply chain to be continuously mapped out and risks closely monitored throughout the life cycle of the program, which calls for professionals skilled in defining and measuring uncompromised acquisitions.

Although information sharing among contractors and subcontractors can be a reason for concern, it is unlikely that making security a contract requirement would cause companies to stop sharing cyber threat information. Many industries already compete in the free market while sharing this information, including the financial, automotive and health care sectors, which have far tighter profit margins than the defense industry.

Threat information must be shared because every contractor is a target and none of them is equally strong in all attack spaces. By openly communicating about dangerous activity, the overall security posture of the entire industrial base will grow.

Because of the recent increase in consolidation of tier-one contractors, a great amount of overlap exists in the utilization of lower-tier suppliers across many contract awards. As a result, competition for multiple contracts will be a force multiplier as individual security improves.

Although contract privity limits prime contractors’ ability to see into their supply chain beyond their immediate subcontractors, designating trusted third-party intermediaries between the protected subcontractors and prime contractors would address this issue. This third party would monitor the supply chain via contract flow-down clauses. The members of the supply chain would report individual and collective risk levels to the third party that would share them with the prime and the government contracting office. While the third party would be privy to the entire supply chain for each contract, the supply chain members’ identities would be protected.
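As an added illustration (not code from the article or any program it describes), the following toy model ties together the independent supplier risk scores discussed earlier and the trusted-intermediary arrangement described in the paragraph above: each entity carries its own score, the cumulative risk to the end product is composed up the supply chain tree, and the intermediary reports per-member and collective figures under pseudonyms. Assumptions are mine: a score is read as the probability that an entity alone delivers compromised goods, compromise events are treated as independent, and all names, scores and the salt are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Supplier:
    name: str
    own_risk: float          # independent score: P(this entity alone is compromised)
    subs: list = field(default_factory=list)


def cumulative_risk(s: Supplier) -> float:
    """Risk the product inherits from s plus everything beneath it. Modeling
    assumption (mine, not the article's): independent events, so the component
    is clean only if every entity in the subtree is clean: 1 - prod(1 - p_i)."""
    p_clean = 1.0 - s.own_risk
    for sub in s.subs:
        p_clean *= 1.0 - cumulative_risk(sub)
    return 1.0 - p_clean


def weakest_link(s: Supplier) -> tuple:
    """(name, own_risk) of the highest individual score anywhere in the subtree."""
    worst = (s.name, s.own_risk)
    for sub in s.subs:
        worst = max(worst, weakest_link(sub), key=lambda t: t[1])
    return worst


def intermediary_report(prime: Supplier, salt: str) -> dict:
    """What the trusted third party shares with the prime and the contracting
    office: per-member scores under pseudonyms plus the collective figure.
    The salt never leaves the intermediary, so member names are not recoverable."""
    members = []

    def walk(s: Supplier, tier: int) -> None:
        for sub in s.subs:
            pid = hashlib.sha256(f"{salt}:{sub.name}".encode()).hexdigest()[:8]
            members.append({"id": pid, "tier": tier, "own": sub.own_risk,
                            "cumulative": round(cumulative_risk(sub), 4)})
            walk(sub, tier + 1)

    walk(prime, 1)
    return {"collective_risk": round(cumulative_risk(prime), 4), "members": members}


# Constructed sample chain (fictional names, illustrative scores).
SAMPLE_CHAIN = Supplier("Prime", 0.02, [
    Supplier("TierOneA", 0.05, [Supplier("Fastener", 0.01), Supplier("Firmware", 0.30)]),
    Supplier("TierOneB", 0.03),
])
```

Note how a single high-risk lower-tier entity dominates the collective figure even when the prime and its direct subcontractors score well, which is why monitoring has to reach past the first tier.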

In addition to these tactics, the government should seek to protect contractors that make good faith, informed reports on cyber and supply chain attacks from third-party lawsuits. This protection might require new legislation to create a National Supply Chain Intelligence Center. The center would warn contractors about strategic threats and provide all-source information sharing, much like the National Counterterrorism Center did after 9/11. It also would give contractors a legal “safe harbor” to share threat information.

Other options to improve supply chain security include tax incentives and low or no-cost loans for small companies to improve their security posture. In addition, supply chain insurance may motivate the defense industry to improve cyber and supply chain security. This could be especially important for the smaller subcontractors, who are the most vulnerable targets.

A consistent risk scoring system across the U.S. government is essential as a measurable differentiator, so the agencies responsible for protecting the U.S. supply chains—Defense Department, National Counterintelligence Security Center and Department of Homeland Security—must work closely with Congress and the private sector. In addition, multinational cooperation will be key because of the international nature of system compromises.

The character of conflict is changing, and the responses to it must change with it. It is clear that the military’s mission readiness and its ability to project force are at grave risk from attacks on supply chains, lowering the safety and security of nations and citizens. Focusing on security from the assembly lines to the front lines is one way to address this threat.

Share Your Thoughts:

This is a topic I have been trying to raise awareness on for some time. This article covers many of the component and human resource providers, but one that has slipped under the covers is basic IT/Cyber Security purchases. These are the ones done off GSA, SEWP, NETCENTS, etc. Many of the GWAC contracts were originally started for commodity purchases. It did not matter where you got it; the product was the same and you handled how to use or consume it. However, Cyber Security components are part of a system (or should be). And it depends on each organization's value and reliance on Cyber Security. If it's a "nice to have" then it does not matter where you get it. If your SIM, DLP, UTM, APT, etc. is critical to the organization's mission you better trust who you got it from, and have a long term relationship with them. There are so many changes and challenges in deploying, managing, updating Cyber solutions that there should be a team involved, one with a track record and history of the project and customer. Vendors today do not protect their resellers for the renewals and add-ons into each organization. They have "deal registration" and no price protection for their partners that provided a solution to a particular customer. They just allow an "even playing field" and low bid to guide the purchase - saying that is the law. It is not, but it's easy to hide under. For Tomato Juice or Cement that may be OK. For that APT solution that needs to plug into 5 different other solutions, needs customization for the particular customer, had several problems in the past (what exactly were those again?), having 4 different vendors on file for the last 4 years' purchases is a recipe for disaster, in my opinion.
I can name off the top of my head many different examples in the Government space where sensitive to classified information was compromised because the vendor sent the wrong thing, did not update the customer on an important change, or simply released a press release or said something they should not have. But they did not provide the initial solution, did not do the proof of concept or troubleshooting with the customer, did not become part of the evaluation and deployment team; they just got a renewal for the maintenance or add-on from being the low bidder. And that is who is on record at the agency as who to call. In many cases, they have to call them. And they have no idea of the problem or even who to call at the vendor.
For me, I would never do business with a supplier that does not care whom I procure their product or service from. Whether it is my contractor who changes plumbers for each room, or my Firewall vendor that allows a low bid contractor to get my renewal or upgrade. Cyber Security for me is serious business. But the Government in many cases allows this to happen - saying "those are the rules" or "we can't change that". Actually they can; there are many options available under the law. It's just that most agencies are not aware of what those options are, and they do business with vendors who do not care.
It did not use to be this way, and projects I worked on for 10 years worked pretty well. We overcame the issues - because of our history. But this is not the case today, and it pains me to see so many problems that in my opinion are not necessary.
Just my thoughts. Anyone want to post examples or a counter argument? Worth a discussion.

This is an area that I have been leading research on each year. We publish as part of the State of the Software Supply Chain Report. Now in its fifth year, the report examines the rapidly expanding supply and continued exponential growth in consumption of open source components. While over 80% of a modern application is built from open source components, not all of these component parts are created equal. Last year, 1 in 10 of the components downloaded by developers - who use the parts in their applications - had a known security vulnerability. The integrity of our software is at risk when organizations do not pay attention to what is being consumed within their software supply chains.

The Deliver Uncompromised report points to many of the same issues around software supply chain integrity, including malicious code injection techniques being used by adversaries. The State of the Software Supply Chain report complements Deliver Uncompromised by offering empirical evidence of the practices and security threats on a global scale.

This is a great area to focus on - the recent Android vulnerability is a perfect example. However, the chain moves all the way up to the end user and application. You mention 10% of code is vulnerable. Simply providing the wrong tool for the job can be even more damaging, and my experience of seeing the actual tools in the field and how organizations were using them is even more prevalent. The incentive for cost, ease of acquisition, misrepresentation, fraud is just too high. Who you deal with can be more important than what you get - but both have risk. I think good oversight and making the process better for both is important. We are probably weak on the who you deal with part.